Sql Injection


rswildy
Can you check these 2 functions I wrote up and tell me anything I should change or is not needed. Also explain anything that needs adding to it. I need suggestions, I'm creating a script that is not vulnerable to SQL attacks and my framework is going to be open source.

/*
 * Encode the value to stop SQL
 * injection.
 */
function mysql_encode ($value)
{
    $value = trim($value);
    $value = nl2br($value);
    $value = htmlentities($value, ENT_QUOTES);
    if ($value == null) {
        $value = 'NULL';
    }
    if (is_bool($value)) {
        $value = $value ? 1 : 0;
    }
    if (is_numeric($value))
    {
        intval($value);
    }
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }
    if (!is_numeric($value))
    {
        mysql_real_escape_string($value);
    }
    $value = addcslashes($value, '%_');
    return $value;
}

/*
 * decode the value from SQL
 */
function mysql_decode ($value)
{
    $value = html_entity_decode($value, ENT_QUOTES);
    if ($value == 'NULL') {
        $value = '';
    }
    $value = stripslashes($value);
    return $value;
}

Edited by rswildy

You might be taking too many liberties with the data. An escape function really only needs to add slashes before quotes; that's really the only thing that can screw up a query (assuming string data). I'm not sure I would want my escape function to also use trim, nl2br, and htmlentities. If I wanted those operations done on the data I would do them myself. What if you have a string of binary data? Are you going to want to add a <br /> tag after each 0x20 byte and then convert everything to HTML entities? You need to ask yourself why you're using the things you are. Why use htmlentities, what problem is using that function supposed to solve, how does it solve the problem, and are there any side effects?

Also, all numeric values are not necessarily integers. Floats, hex, and scientific notation are examples which will pass is_numeric but are not integers.


Also, as your code notes, you have the built-in function mysql_real_escape_string(). This is the only function that you really need. It will do everything that has to be done with the data, so that if it gets placed into an SQL query, it doesn't cause an SQL injection. However, in your current code, you aren't doing anything with the returned (escaped) string. The way a query should look in the end is like (for example):

$conn = mysql_connect('localhost', 'root', '');
// mysql_real_escape_string() takes the string first and the link second;
// the escaped value still has to sit inside quotes in the SQL text.
$query = "SELECT * FROM users WHERE name = '" . mysql_real_escape_string($_POST['username'], $conn)
       . "' AND password = '" . mysql_real_escape_string(sha1($_POST['password']), $conn) . "'";

In other words, the mysql_encode() function you're trying to encode will pretty much be a replica of mysql_real_escape_string().
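The two replies above make the same two points: an escape function should quote and escape, nothing more, and is_numeric() is too loose a gate for "this is an integer". The block below is an added example written for this page, not code from either poster. It assumes PHP with PDO and the pdo_sqlite driver so it runs offline against an in-memory database; the helper names sql_literal, find_user_quoted and find_user_prepared are hypothetical. It goes one step beyond the reply by also showing a prepared statement, which is the standard way to keep user data out of the SQL text altogether; under MySQL the DSN changes and nothing else does.

```php
<?php
// Added example, not from the thread. Assumes PDO + pdo_sqlite for an
// offline demo; for MySQL use a DSN like "mysql:host=...;dbname=..." and
// PDO::quote() then delegates to the MySQL client library's escaper.

/**
 * Turn one PHP value into an SQL literal and nothing else:
 * no trim(), no nl2br(), no htmlentities(). Those are output concerns
 * and have no place in a function whose job is to protect a query.
 */
function sql_literal(PDO $db, $value): string
{
    if ($value === null) {            // only a real null becomes NULL; '' and 0 stay data
        return 'NULL';
    }
    if (is_bool($value)) {
        return $value ? '1' : '0';
    }
    if (is_int($value)) {
        return (string)$value;
    }
    if (is_float($value)) {
        return sprintf('%.17g', $value);  // full precision, no locale decimal comma
    }
    // Everything else, including strings such as "42", "4.2" or "1e3", is
    // sent as a quoted string; the driver handles the escaping.
    return $db->quote((string)$value);
}

/** Escape-and-quote style: the value becomes one quoted literal in the SQL text. */
function find_user_quoted(PDO $db, string $name): array
{
    $sql = 'SELECT id, name FROM users WHERE name = ' . sql_literal($db, $name);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Prepared-statement style: the server receives the SQL and the data separately. */
function find_user_prepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed hostile input: the usual tautology an attacker would type into a login form.
$hostile = "alice' OR '1'='1";

// Both lookups treat the whole input as a single name, so the OR clause never
// becomes part of the query and no user row is matched.
var_dump(find_user_quoted($db, $hostile));
var_dump(find_user_prepared($db, $hostile));
var_dump(find_user_prepared($db, 'bob'));   // a legitimate lookup still works

// Why is_numeric() is the wrong gate for intval(): every value below passes
// is_numeric(), but only the true integers pass FILTER_VALIDATE_INT.
foreach (['42', '-7', '4.2', '1e3'] as $v) {
    printf("%-5s is_numeric=%d valid_int=%d\n", $v,
        is_numeric($v), filter_var($v, FILTER_VALIDATE_INT) !== false);
}
```

Design note: sql_literal() decides the SQL type from the PHP type (null, bool, int, float, otherwise string) rather than from what the text looks like, which is what the first reply asks for. The prepared statement needs no such helper at all, which is why it is the better default for an open-source framework: there is no string assembly step in which a missed quote or a discarded return value can reopen the hole.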


Remember that PHP is dynamically typed with no type safety, so for all purposes 0, the integer, is much the same as 0.0, "0", or even false.
